1. Fix https redirect that was being shorted by express.static
2. Disable the 'x-powered-by' header. 3. Fix the HSTS header. 4. Modify the CSP to explicitly forbid framing. 5. Add helmet.frameguard.
This commit is contained in:
Родитель
a9e486a296
Коммит
f530fd1187
|
@ -28,6 +28,12 @@ export default {
|
||||||
connectSrc: [
|
connectSrc: [
|
||||||
`'self'`,
|
`'self'`,
|
||||||
env.PULSE_API || `https://network-pulse-api-staging.herokuapp.com/`
|
env.PULSE_API || `https://network-pulse-api-staging.herokuapp.com/`
|
||||||
|
],
|
||||||
|
childSrc: [
|
||||||
|
`'none'`
|
||||||
|
],
|
||||||
|
frameAncestors: [
|
||||||
|
`'none'`
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
reportOnly: false,
|
reportOnly: false,
|
||||||
|
|
26
server.js
26
server.js
|
@ -20,6 +20,9 @@ import env from "./config/env.generated.json";
|
||||||
const defaultPort = 3000;
|
const defaultPort = 3000;
|
||||||
const PORT = env.PORT || process.env.PORT || defaultPort;
|
const PORT = env.PORT || process.env.PORT || defaultPort;
|
||||||
|
|
||||||
|
// disable x-powered-by
|
||||||
|
app.disable('x-powered-by');
|
||||||
|
|
||||||
// Some app security settings
|
// Some app security settings
|
||||||
|
|
||||||
app.use(helmet.contentSecurityPolicy(securityHeaders));
|
app.use(helmet.contentSecurityPolicy(securityHeaders));
|
||||||
|
@ -30,25 +33,38 @@ app.use(helmet.xssFilter({
|
||||||
|
|
||||||
// maxAge for HSTS header must be at least 18 weeks (see https://hstspreload.org/)
|
// maxAge for HSTS header must be at least 18 weeks (see https://hstspreload.org/)
|
||||||
app.use(helmet.hsts({
|
app.use(helmet.hsts({
|
||||||
maxAge: 60 * 60 * 24 * 7 * 18 // 18 weeks in seconds
|
maxAge: 60 * 60 * 24 * 7 * 18, // 18 weeks in seconds
|
||||||
|
setIf: (req, res) => {
|
||||||
|
if (req.headers['x-forwarded-proto'] && req.headers['x-forwarded-proto'] === "https") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
},
|
||||||
|
includeSubDomains: true,
|
||||||
|
preload: true
|
||||||
}));
|
}));
|
||||||
|
|
||||||
app.use(helmet.ieNoOpen());
|
app.use(helmet.ieNoOpen());
|
||||||
|
|
||||||
app.use(helmet.noSniff());
|
app.use(helmet.noSniff());
|
||||||
|
|
||||||
app.use(express.static(path.resolve(__dirname, `dist`)));
|
app.use(helmet.frameguard({
|
||||||
|
action: 'deny'
|
||||||
|
}));
|
||||||
|
|
||||||
// make sure that heroku content is always on https
|
// make sure that heroku content is always on https
|
||||||
// (or really, anything that relies on x-forwarded-proto)
|
// (or really, anything that relies on x-forwarded-proto)
|
||||||
const checkHTTPS = (req, res, next) => {
|
app.use((req, res, next) => {
|
||||||
if(req.headers['x-forwarded-proto'] && req.headers['x-forwarded-proto'] === "http") {
|
if(req.headers['x-forwarded-proto'] && req.headers['x-forwarded-proto'] === "http") {
|
||||||
return res.redirect("https://" + req.headers.host + req.url);
|
return res.redirect("https://" + req.headers.host + req.url);
|
||||||
}
|
}
|
||||||
next();
|
next();
|
||||||
};
|
});
|
||||||
|
|
||||||
app.get(`*`, checkHTTPS, (req, res) => {
|
app.use(express.static(path.resolve(__dirname, `dist`)));
|
||||||
|
|
||||||
|
app.get(`*`, (req, res) => {
|
||||||
match({ routes: routes, location: req.url }, (err, redirect, props) => {
|
match({ routes: routes, location: req.url }, (err, redirect, props) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
res.status(500).send(err.message);
|
res.status(500).send(err.message);
|
||||||
|
|
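Review bot: Both the new `setIf` callback in the hsts options and the relocated HTTPS redirect compare the raw `x-forwarded-proto` header with strict equality, so a multi-hop value such as `https, http` (the header becomes a comma-separated list when more than one proxy sits in front of the app) matches neither `"https"` nor `"http"`: HSTS is then not emitted and the redirect is skipped, i.e. the enforcement fails open. Letting Express parse the header is shorter and handles the list form: `app.set('trust proxy', 1);` (hop count per the deployment), then `setIf: (req) => req.secure,` in the hsts options and `if (req.headers['x-forwarded-proto'] && !req.secure) {` in the redirect, which keeps the current behaviour of not redirecting direct (local) HTTP requests that carry no header. Separately, `preload: true` together with `includeSubDomains: true` is effectively irreversible once the domain is submitted to the preload list, so a one-line comment above it stating that this is intended would help the next reader. The `app.get` handler that closes the hunk continues outside it.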